Your PC-BSD® system is secure by default. This section provides an overview of the built-in security features and additional resources should you like to learn more about increasing the security of your system beyond its current level.

Your PC-BSD® system is secure by default. This section provides an overview of the built-in security features and additional resources should you like to learn more about increasing the security of your system beyond its current level.

+

<!--T:3-->

The security features built into PC-BSD® include:

The security features built into PC-BSD® include:

−

* '''Naturally immune to viruses and other malware:''' most viruses are written to exploit Windows systems and do not understand the binaries or paths found on a PC-BSD® system. Antivirus software is still available in the Security section of [[Using AppCafe® | AppCafe®]] as this can be useful if you send or forward email attachments to users running other operating systems.

+

<!--T:4-->

+

* '''Naturally immune to viruses and other malware:''' most viruses are written to exploit Windows systems and do not understand the binaries or paths found on a PC-BSD® system. Antivirus software is still available in the Security section of {{local|link=AppCafe®}} as this can be useful if you send or forward email attachments to users running other operating systems.

−

* '''Potential for serious damage is limited:''' file and directory ownership and permissions along with separate user and group functions mean that as an ordinary user any program executed will only be granted the abilities and access of that user. A user that is not a member of the ''wheel'' group can not switch to administrative access and cannot enter or list the contents of a directory that has not been set for universal access. <!-- may need clarity but seems like a good bit of info to include - also is it intentional that only operator group can install PBIs? -->

+

<!--T:5-->

+

* '''Potential for serious damage is limited:''' file and directory ownership and permissions along with separate user and group functions mean that as an ordinary user any program executed will only be granted the abilities and access of that user. A user that is not a member of the ''wheel'' group can not switch to administrative access and cannot enter or list the contents of a directory that has not been set for universal access.<!-- may need clarity but seems like a good bit of info to include - also is it intentional that only operator group can install PBIs? -->

−

* '''Built-in firewall:''' the default firewall ruleset allows you to access the Internet and the shares available on your network. If there are no shared resources on your network, you can use [[Firewall Manager]] to further tighten the default ruleset. In addition, {{citelink|url=http://www.fail2ban.org/wiki/index.php/Main_Page|Fail2ban}} is installed. This service can be configred to identify possible break-in attempts and to respond with an action such as creating a firewall rule to ban the intruder. Instructions for configuring fail2ban can be found {{citelink|url=http://www.fail2ban.org/wiki/index.php/MANUAL_0_8#Usage|txt=here}}.

+

<!--T:6-->

+

* '''Built-in firewall:''' the default firewall ruleset allows you to access the Internet and the shares available on your network. If there are no shared resources on your network, you can use {{local|link=Firewall Manager}} to further tighten the default ruleset. In addition, {{citelink|url=http://www.fail2ban.org/wiki/|txt=Fail2ban}} is installed. This service can be configured to identify possible break-in attempts and to respond with an action such as creating a firewall rule to ban the intruder. Instructions for configuring fail2ban can be found on the {{citelink|url=http://www.fail2ban.org/wiki/index.php/MANUAL_0_8#Usage|txt=fail2ban wiki}}.

−

* '''Built-in Host-based Intrusion Detection System:''' PC-BSD® installs {{citelink|url=http://www.ossec.net/|OSSEC}} which can be configured to perform log analysis, file integrity checking, policy monitoring, rootkit detection, real-time alerting, and active response. If you have never used OSSEC before, take some time to read through its {{citelink|url=http://www.ossec.net/doc/|txt=manual}} to determine which features interest you and how to configure them.

+

<!--T:7-->

+

* '''Built-in Host-based Intrusion Detection System:''' PC-BSD® installs {{citelink|url=http://www.ossec.net/|txt=OSSEC}} which can be configured to perform log analysis, file integrity checking, policy monitoring, rootkit detection, real-time alerting, and active response. If you have never used OSSEC before, take some time to read through its {{citelink|url=http://www.ossec.net/doc/|txt=manual}} to determine which features interest you and how to configure them.

−

* '''Very few services are enabled by default:''' you can easily view which services are started at boot time using [[Service Manager]] or by reading through ''/etc/rc.conf''. You can also disable the services that you do not use by disabling that service in Service Manager or by commenting out that line with a ''#'' in ''/etc/rc.conf''.

+

<!--T:8-->

+

* '''Very few services are enabled by default:''' you can easily view which services are started at boot time using {{local|link=Service Manager}} or by reading through ''/etc/rc.conf''. You can also disable the services that you do not use by disabling that service in Service Manager or by commenting out that line with a ''#'' in ''/etc/rc.conf''.

−

* '''SSH is disabled by default:''' and can only be enabled by the superuser. This setting prevents bots and other users from trying to access your system. If you do need to use SSH, change the NO to a YES in the line ''sshd_enable='' in the file ''/etc/rc.conf''. You can start the service right away by typing '''/etc/rc.d/sshd start'''. You will need to add a firewall rule to allow SSH connections from the systems that require SSH access.

+

<!--T:9-->

+

* '''SSH is disabled by default:''' and can only be enabled by the superuser. This setting prevents bots and other users from trying to access your system. If you do need to use SSH, change the "NO" to a "YES" in the line ''sshd_enable='' in the file ''/etc/rc.conf''. You can start the service right away by typing '''/etc/rc.d/sshd start'''. You will need to add a firewall rule to allow SSH connections from the systems that require SSH access.

+

<!--T:10-->

* '''SSH root logins are disabled by default:''' if you enable SSH, you must login as a regular user and can use '''su''' or '''sudo''' when you need to perform administrative actions. You should not change this default as this prevents an unwanted user from having complete access to your system.

* '''SSH root logins are disabled by default:''' if you enable SSH, you must login as a regular user and can use '''su''' or '''sudo''' when you need to perform administrative actions. You should not change this default as this prevents an unwanted user from having complete access to your system.

−

* '''sudo is installed:''' and configured to allow users in the ''wheel'' group permission to run an administrative command if they know the root password. By default, the first user you create during installation is added to the ''wheel'' group. You can use [[User Manager]] to add other users to this group. You can change the default '''sudo''' configuration using the '''visudo''' command as the superuser.

+

<!--T:11-->

+

* '''sudo is installed:''' and configured to allow users in the ''wheel'' group permission to run an administrative command after typing their password. By default, the first user you create during installation is added to the ''wheel'' group. You can use {{local|link=User Manager}} to add other users to this group. You can change the default '''sudo''' configuration using the '''visudo''' command as the superuser.

+

<!--T:12-->

* '''{{citelink|wp|url=AES_instruction_set|txt=AESNI}} support is loaded by default''' for the Intel Core i5/i7 processors that support this encryption set. This support speeds up AES encryption and decryption.

* '''{{citelink|wp|url=AES_instruction_set|txt=AESNI}} support is loaded by default''' for the Intel Core i5/i7 processors that support this encryption set. This support speeds up AES encryption and decryption.

−

* '''Automatic notification of security advisories:''' [[Update Manager]] will automatically notify you if an update is available as the result of a {{citelink|url=http://www.freebsd.org/security/advisories.html|FreeBSD security advisory}} that affects PC-BSD®. This allows you to keep your operating system fully patched with just the click of a mouse.

+

<!--T:13-->

+

* '''Automatic notification of security advisories:''' {{local|link=Update Manager}} will automatically notify you if an update is available as the result of a {{citelink|url=http://www.freebsd.org/security/advisories.html|txt=FreeBSD security advisory}} that affects PC-BSD®. This allows you to keep your operating system fully patched with just the click of a mouse.

+

<!--T:14-->

If you would like to learn more about security on FreeBSD/PC-BSD® systems, '''man security''' is a good place to start. These resources provide more information about security on FreeBSD-based operating systems:

If you would like to learn more about security on FreeBSD/PC-BSD® systems, '''man security''' is a good place to start. These resources provide more information about security on FreeBSD-based operating systems:

Revision as of 17:11, 4 November 2013

(Sorry for the inconvenience)

Editor: please update template:UseTOC/9.2

Translator: please use {{UseTOC{{putVers}}|TOC}}

Protection (edit): sysopEdited by: Tigersharke

Your PC-BSD® system is secure by default. This section provides an overview of the built-in security features and additional resources should you like to learn more about increasing the security of your system beyond its current level.

The security features built into PC-BSD® include:

Naturally immune to viruses and other malware: most viruses are written to exploit Windows systems and do not understand the binaries or paths found on a PC-BSD® system. Antivirus software is still available in the Security section of AppCafe® as this can be useful if you send or forward email attachments to users running other operating systems.

Potential for serious damage is limited: file and directory ownership and permissions along with separate user and group functions mean that as an ordinary user any program executed will only be granted the abilities and access of that user. A user that is not a member of the wheel group can not switch to administrative access and cannot enter or list the contents of a directory that has not been set for universal access.

Built-in firewall: the default firewall ruleset allows you to access the Internet and the shares available on your network. If there are no shared resources on your network, you can use Firewall Manager to further tighten the default ruleset. In addition, Fail2ban[1] is installed. This service can be configured to identify possible break-in attempts and to respond with an action such as creating a firewall rule to ban the intruder. Instructions for configuring fail2ban can be found on the fail2ban wiki[2].

Built-in Host-based Intrusion Detection System: PC-BSD® installs OSSEC[3] which can be configured to perform log analysis, file integrity checking, policy monitoring, rootkit detection, real-time alerting, and active response. If you have never used OSSEC before, take some time to read through its manual[4] to determine which features interest you and how to configure them.

Very few services are enabled by default: you can easily view which services are started at boot time using Service Manager or by reading through /etc/rc.conf. You can also disable the services that you do not use by disabling that service in Service Manager or by commenting out that line with a # in /etc/rc.conf.

SSH is disabled by default: and can only be enabled by the superuser. This setting prevents bots and other users from trying to access your system. If you do need to use SSH, change the "NO" to a "YES" in the line sshd_enable= in the file /etc/rc.conf. You can start the service right away by typing /etc/rc.d/sshd start. You will need to add a firewall rule to allow SSH connections from the systems that require SSH access.

SSH root logins are disabled by default: if you enable SSH, you must login as a regular user and can use su or sudo when you need to perform administrative actions. You should not change this default as this prevents an unwanted user from having complete access to your system.

sudo is installed: and configured to allow users in the wheel group permission to run an administrative command after typing their password. By default, the first user you create during installation is added to the wheel group. You can use User Manager to add other users to this group. You can change the default sudo configuration using the visudo command as the superuser.

AESNI[5] support is loaded by default for the Intel Core i5/i7 processors that support this encryption set. This support speeds up AES encryption and decryption.

Automatic notification of security advisories:Update Manager will automatically notify you if an update is available as the result of a FreeBSD security advisory[6] that affects PC-BSD®. This allows you to keep your operating system fully patched with just the click of a mouse.

If you would like to learn more about security on FreeBSD/PC-BSD® systems, man security is a good place to start. These resources provide more information about security on FreeBSD-based operating systems: